theforeman / foreman-fapolicyd

GNU General Public License v3.0

Puppet node.rb and foreman.rb fail #9

Open ehelms opened 10 months ago

ehelms commented 10 months ago

```
rule=16 dec=deny_audit perm=execute auid=-1 pid=9107 exe=/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.382.b05-2.el8.x86_64/jre/bin/java : path=/etc/puppetlabs/puppet/node.rb ftype=text/x-ruby trust=0
rule=16 dec=deny_audit perm=open auid=-1 pid=7341 exe=/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.382.b05-2.el8.x86_64/jre/bin/java : path=/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/reports/foreman.rb ftype=text/x-ruby trust=0
```

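To triage denials like the two above without reading them by hand, here is a small parser for fapolicyd `deny_audit` lines. It is an added example, not code from this issue or from the foreman-fapolicyd project; the sample log is copied from the two lines in the first comment, and the `fapolicyd-cli --file add` commands it emits are one standard way to mark a file as trusted, which this thread has not yet settled on as the fix.

```python
import re
from collections import Counter

# Constructed sample: the two deny_audit lines reported in this issue.
SAMPLE_LOG = """\
rule=16 dec=deny_audit perm=execute auid=-1 pid=9107 exe=/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.382.b05-2.el8.x86_64/jre/bin/java : path=/etc/puppetlabs/puppet/node.rb ftype=text/x-ruby trust=0
rule=16 dec=deny_audit perm=open auid=-1 pid=7341 exe=/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.382.b05-2.el8.x86_64/jre/bin/java : path=/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/reports/foreman.rb ftype=text/x-ruby trust=0
"""

# key=value tokens; values never contain whitespace in fapolicyd's audit format
_KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Split one audit line into subject fields (before ' : ') and object fields (after)."""
    if " : " not in line:
        return None  # not a fapolicyd decision line
    subject, obj = line.split(" : ", 1)
    return {"subject": dict(_KV.findall(subject)), "object": dict(_KV.findall(obj))}


def untrusted_denials(log_text):
    """Keep only denials of files fapolicyd does not trust (trust=0: not in rpmdb or the trust list)."""
    out = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["subject"].get("dec") == "deny_audit" and rec["object"].get("trust") != "1":
            out.append(rec)
    return out


def summarize(records):
    """Count denials by (executable, permission, path) so each distinct denied file shows up once."""
    return Counter((r["subject"]["exe"], r["subject"]["perm"], r["object"]["path"]) for r in records)


def trust_commands(records):
    """Emit the fapolicyd-cli commands that would add each denied path to the file trust list."""
    paths = sorted({r["object"]["path"] for r in records})
    cmds = [f"fapolicyd-cli --file add {p}" for p in paths]
    if cmds:
        cmds.append("fapolicyd-cli --update")  # tell the daemon to reload the trust database
    return cmds


if __name__ == "__main__":
    denials = untrusted_denials(SAMPLE_LOG)
    for key, n in summarize(denials).items():
        print(n, *key)
    print("\n".join(trust_commands(denials)))
```

Adding the paths to the trust list is the narrow fix; whether the files should instead live under /usr and be owned by an RPM is the design question the rest of this thread discusses.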
evgeni commented 10 months ago

What action does one need to execute to trigger this? An agent run on a managed host?

ekohl commented 10 months ago

Normally a Puppet agent requests the catalog and we configure puppetserver to execute a file to get the ENC.

```ini
[master]
node_terminus = exec
external_nodes = /etc/puppetlabs/puppet/node.rb
```

This file is a Ruby script. Perhaps if it lived in /usr (like /usr/bin/foreman-puppet-node) this wouldn't be an issue?

The report that's sent after is also an odd one. Puppet loads more Ruby, so why is that allowed while this triggers something?

ehelms commented 10 months ago

> What action does one need to execute to trigger this? An agent run on a managed host?

Just installation triggered it for me (with the puppet feature if using Katello).

ekohl commented 10 months ago

That's probably because the agent is started by the installer and retrieves the catalog.

I'm guessing the minimal reproducer is:

```sh
dnf -y install https://yum.puppet.com/puppet7-release-el-8.noarch.rpm fapolicyd
dnf -y install puppetserver
. /etc/profile.d/puppet-agent.sh
puppet config set --section server node_terminus exec
puppet config set --section server external_nodes /etc/puppetlabs/puppet/node.rb
puppetserver ca setup
systemctl enable --now puppetserver
puppet agent --test
```

evgeni commented 10 months ago

That's also what I assume, but then I'd expect test-puppet.bats to trigger this, and it did not for me after the PrivateTmp fix:

https://theforeman.org/2023/11/testing-a-foreman-installer-patch-with-packit-and-forklift.html